Bug#1041746: curl: libcurl4 links to a superset of libraries compared to libcurl3-gnutls

Daniel Kahn Gillmor Sat, 22 Jul 2023 17:27:20 -0700

Source: curl
Version: 7.88.1-10
Severity: normal
X-Debbugs-Cc: d...@fifthhorseman.net


libcurl4 (and indeed, libcurl3-nss) both ship shared objects that
themselves link to a set of shared objects that are a strict superset
of the shared objects linked to by libcurl3-gnutls:

```
0 dkg@alice:~$ libs() { ldd "$1" | sort | sed s/0x.*// ; }
0 dkg@alice:~$ diff -u <(libs /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0 
) <(libs /usr/lib/x86_64-linux-gnu/libcurl-nss.so.4.8.0)
--- /dev/fd/63  2023-07-22 17:17:42.627000390 -0700
+++ /dev/fd/62  2023-07-22 17:17:42.627000390 -0700
@@ -18,12 +18,18 @@
        libldap-2.5.so.0 => /lib/x86_64-linux-gnu/libldap-2.5.so.0 (
        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (
        libnghttp2.so.14 => /lib/x86_64-linux-gnu/libnghttp2.so.14 (
+       libnspr4.so => /lib/x86_64-linux-gnu/libnspr4.so (
+       libnss3.so => /lib/x86_64-linux-gnu/libnss3.so (
+       libnssutil3.so => /lib/x86_64-linux-gnu/libnssutil3.so (
        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (
+       libplc4.so => /lib/x86_64-linux-gnu/libplc4.so (
+       libplds4.so => /lib/x86_64-linux-gnu/libplds4.so (
        libpsl.so.5 => /lib/x86_64-linux-gnu/libpsl.so.5 (
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (
        librtmp.so.1 => /lib/x86_64-linux-gnu/librtmp.so.1 (
        libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (
        libssh2.so.1 => /lib/x86_64-linux-gnu/libssh2.so.1 (
+       libssl3.so => /lib/x86_64-linux-gnu/libssl3.so (
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (
1 dkg@alice:~$ diff -u <(libs /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0 
) <(libs /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0)
--- /dev/fd/63  2023-07-22 17:17:48.623045082 -0700
+++ /dev/fd/62  2023-07-22 17:17:48.623045082 -0700
@@ -24,6 +24,7 @@
        librtmp.so.1 => /lib/x86_64-linux-gnu/librtmp.so.1 (
        libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (
        libssh2.so.1 => /lib/x86_64-linux-gnu/libssh2.so.1 (
+       libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (
        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (
        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (
1 dkg@alice:~$ 
```

What advantage is there for the library to link to these extra
libraries?  libcurl-gnutls seems like the minimal implementation here.

            --dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information

Bug#1041746: curl: libcurl4 links to a superset of libraries compared to libcurl3-gnutls

Reply via email to